Skip to main content

End-to-end encryption

Mozilla accounts offers an end-to-end encryption support feature for OAuth reliers by deriving a strong encryption key from user's password. Keep in mind that Mozilla accounts does not provide a storage solution, it is up to you to use the generated key and encrypt the data with that key.

WebExtensions

To use this feature in WebExtensions you need to do the following:

  1. Register an OAuth client and an OAuth app scope with Mozilla accounts
  2. Install the fxa-crypto-relier library into your WebExtension
  3. Follow the documentation to trigger the Mozilla accounts login screen
  4. Consume the derived key after the successful login

Examples

You can find an example of this feature in the TestPilot Notes source code. Here's a simplified diagram of a scoped key generated for a WebExtension:

An example of a key generated by Mozilla accounts:

The generated key can be imported using existing WebCrypto APIs:

function shared_key(key) {
  return crypto.subtle.importKey(
    'jwk',
    { kty: key.kty, k: key.k.replace(/=/, '') },
    'AES-KW',
    true,
    ['wrapKey', 'unwrapKey']
  );
}